September 20, 2017

The Government says that the Bill will “empower people to take control of their data”. With individual data rights being strengthened, it is the Government’s view that, as far as possible, existing lawful data processing should be allowed to continue.

According to the Government, the Bill assures specific UK businesses and organisations that the vital data processing they undertake for legal or public interest reasons will continue uninterrupted. It will preserve existing tailored exemptions that have worked well in the Data Protection Act 1998, carrying them over to the new law.

The new law will replace the Data Protection Act 1998 providing a “comprehensive and modern framework” for data protection in the UK, with stronger sanctions for malpractice. It will set new standards for protecting general data, in accordance with the EU’s General Data Protection Regulation, give people more control over use of their data, and provide new rights to move or delete personal data.

It will provide a bespoke framework tailored to the needs of the criminal justice agencies and national security organisations, including the intelligence agencies, to protect the rights of victims, witnesses and suspects while ensuring the UK can tackle the changing nature of the global threats it faces.

The Bill will include exemptions for data processing in the following areas:

• processing of personal data by journalists for freedom of expression and to expose wrongdoing is to be safeguarded;
• scientific and historical research organisations such as museums and universities will be exempt from certain obligations which would impair their core functions;
• national bodies responsible for the fight against doping in sport will continue to be able to process data to catch drug cheats;
• in the financial services sector, the pricing of risk or data processing done on suspicion of terrorist financing or money laundering will be protected; and
• where it is justified, the Bill will allow the processing of sensitive and criminal conviction data without consent, including to allow employers to fulfil obligations of employment law.

In its recent Statement of Intent, the Government committed to updating and strengthening data protection laws through the Bill to provide everyone with the confidence that their data will be managed securely and safely. Research shows that more than 80% of people feel that they do not have complete control over their data online.

The Bill introduces a “right to be forgotten” so that individuals can ask for their personal data to be erased. The reliance on default opt-out or pre-selected “tick boxes”, which are largely ignored, to give consent for organisations to collect personal data will also become a thing of the past.

The Government says that businesses “will be supported” to ensure they are able to manage and secure data properly. The Information Commissioner’s Office will be given more power to defend consumer interests and issue higher fines, of up to £17 million or 4% of global turnover, in the most serious cases.

Data controllers will be made more accountable for the data they process with the emphasis being placed on personal privacy rights. Those organisations carrying out high-risk data processing will be obliged to carry out impact assessments to understand the risks involved.

Information Commissioner, Elizabeth Denham said: “The introduction of the Data Protection Bill is welcome as it will put in place one of the final pieces of much needed data protection reform. Effective, modern data protection laws with robust safeguards are central to securing the public’s trust and confidence in the use of personal information within the digital economy, the delivery of public services and the fight against crime. I will be providing my own input as necessary during the legislative process.” To access the Bill and other relevant documents, click here.